NAME | SYNOPSIS | DESCRIPTION | ATTRIBUTES | SEE ALSO | NOTES
drv/ipsecesp
The ipsecesp module provides confidentiality, integrity, authentication, and partial sequence integrity (replay protection) to IP datagrams. The encapsulating security payload ("ESP ") encapsulates its data, so it only protects the data that follows its beginning in the datagram. If the packet is a TCP packet, ESP will encapsulate the TCP header and its data only. If the packet is an IP in IP datagram, ESP will protect the inner IP datagram. Per-socket policy allows "self-encapsulation" so ESP can encapsulate IP options if it needs to. See ipsec(7P) .
Unlike the authentication header ("AH ") , ESP allows multiple kinds of datagram protection. To use a single form of datagram protection can expose vulnerabilities. For example, only ESP can be used to provide confidentiality. But protecting confidentiality alone exposes vulnerabilities in both replay attacks and cut-and-paste attacks. Similarly, if ESP protects only integrity and does not fully protect against eavesdropping, it may provide weaker protection than AH . See ipsecah(7P) .
ESP is implemented as a module that is auto-pushed on top of IP . Use the /dev/ipsecesp entry to tune ESP with ndd(1M) , as well as to allow future algorithms to be loaded on top of ESP . ESP allows encryption algorithms to be pushed on top of it, in addition to the authentication algorithms that can be used in AH . Authentication algorithms include HMAC-MD5 and HMAC-SHA-1. See authmd5h(7M) and authsha1(7P) . Encryption algorithms include DES and Triple-DES . See encrdes(7M) and encr3des(7M) . Each authentication and encryption algorithm has its key size and key format properties. Because of export laws in the United States, not all encryption algorithms will be available outside of the United States.
ESP without authentication exposes vulnerabilities to cut-and-paste cryptographic attacks, as well as eavesdropping attacks. When ESP is used without confidentiality, it is as vulnerable to replay as AH is.
See attributes(5) for descriptions of the following attributes:
ATTRIBUTE TYPE | ATTRIBUTE VALUE |
---|---|
Availability | SUNWcsr (32-bit) |
SUNWcsrx (64-bit) | |
Interface Stability | Evolving |
ipsecconf(1M) ,ndd(1M) ,attributes(5) ,authmd5h(7M) ,authsha1(7P) ,encrdes(7M) , encr3des(7M) ,ip(7P) ,ipsec(7P) ,ipsecah(7P)
Kent, S. and Atkinson, R.RFC 2406, IP Encapsulating Security Payload (ESP) , The Internet Society, 1998.
Due to United States export control laws, the encryption strength available on ESP will be weaker for versions of the SunOS sold outside the United States..
NAME | SYNOPSIS | DESCRIPTION | ATTRIBUTES | SEE ALSO | NOTES